More Than 1 Million URLs Infected with Latest SQL Injection Attack

The "Lilupophilupop" SQL injection campaign has infected 1,070,000 URLs as of last weekend, according to the SANS Internet Storm Center.

This is up substantially from when the SQL attack was first noticed by SANS at the beginning of December -- the security firm only found 80 corrupted URLs. The cause of the quick spread is due to both computer and human input.

"At the moment it looks like it is partially automated and partially manual," wrote Mark Hofman, a SANS Internet Storm Center handler, in a company blog post. "The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period."

According to SANS estimates, Netherlands Web sites (ending in the .NL domain) are the No. 1 victim, with 123,000 infected URLs, with France coming in second with 68,100 hijacked Web site addresses.

However, the more than 1 million sites estimated to be infected may be higher than the reality. According to Mary Landesmann, a ScanSafe security researcher (which is now part of Cisco), the number provided by SANS also may include Web sites discussing the Lilupophilupop attack, due to the fact that the company's data was compiled by performing Google searches.

"As a result, there is always a huge 'increase' [of keyword activity] after an initial public report is made, said Landesmann to Security Dark Reading. "In other words, counting the number of results from a search engine isn’t a good or viable means of measuring the breadth of a compromise."

The Lilupophilupop attack, named after the Web site infected URLs redirect to, is a basic SQL injection that could lead to an attacker gaining access to a user's database of Internet content, including passwords, credit card information and other personal data.

This newest SQL injection incident works in the same fashion as last year's LizaMoon attack, which was responsible for redirecting as many as 1.5 million URLs to a fake and malicious antivirus download.

As with all untrusted Web sites, always use caution and make sure your antivirus is up to date. Hofman also suggests the specific action of checking to see whether a site may have fallen victim to the Lilupophilupop injection attack: "If you want to find out if you have a problem just search for '<script src="http://lilupophilupop.com/' in Google and use the site: parameter to hone in on your domain."